CVE-2022-45797 Overview
An arbitrary file deletion vulnerability exists in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service. This vulnerability could allow a local attacker with low-privileged access to escalate privileges and delete arbitrary files on affected installations.
The vulnerability requires an attacker to first obtain the ability to execute low-privileged code on the target system before exploitation is possible. Once this initial access is achieved, the attacker can leverage the flaw to delete critical system files, potentially leading to system instability, denial of service, or facilitating further privilege escalation attacks.
Critical Impact
Local attackers with low-privileged access can delete arbitrary files on Windows systems running Trend Micro Apex One, potentially causing system instability or enabling further attacks.
Affected Products
- Trend Micro Apex One 2019
- Trend Micro Apex One as a Service (SaaS)
- Microsoft Windows (as the operating platform)
Discovery Timeline
- 2022-12-12 - CVE-2022-45797 published to NVD
- 2025-04-24 - Last updated in NVD database
Technical Details for CVE-2022-45797
Vulnerability Analysis
This vulnerability affects the Damage Cleanup Engine component within Trend Micro Apex One. The Damage Cleanup Engine is responsible for removing malicious files and cleaning up system modifications made by malware. Due to improper handling of file operations within this component, an attacker can manipulate the engine to delete arbitrary files on the system.
The attack requires local access with low privileges, meaning an attacker must already have some form of code execution capability on the target system. However, no user interaction is required once this initial foothold is established. The vulnerability primarily impacts system integrity and availability, as arbitrary file deletion can corrupt system functionality or destroy critical data.
Root Cause
The root cause of this vulnerability lies in insufficient validation or access control within the Damage Cleanup Engine's file deletion routines. When the engine processes cleanup operations, it fails to properly verify whether the target files should be accessible to the requesting user's privilege level. This allows a low-privileged attacker to redirect or manipulate the deletion operations to target files outside their normal access scope.
Attack Vector
The attack vector is local, requiring the attacker to have already obtained code execution on the target system with low-privileged credentials. The exploitation flow typically involves:
- An attacker gains initial access to a Windows system running Trend Micro Apex One
- The attacker identifies the vulnerable Damage Cleanup Engine component
- By manipulating file paths or leveraging symbolic links, the attacker triggers the cleanup engine to delete arbitrary files
- Critical system files or security-related files are deleted, potentially enabling privilege escalation or causing denial of service
The vulnerability mechanism exploits improper file operation handling within the Damage Cleanup Engine. An attacker with local access can craft requests or manipulate file system structures (such as symbolic links or junction points) to redirect the cleanup engine's deletion operations toward protected system files. Technical details are available in the Trend Micro Security Advisory.
Detection Methods for CVE-2022-45797
Indicators of Compromise
- Unexpected file deletions in system directories or protected folders not associated with legitimate cleanup operations
- Suspicious process activity from the Damage Cleanup Engine component targeting files outside its normal scope
- Creation of symbolic links or junction points in locations typically accessed by Trend Micro Apex One
- Event logs showing file deletion operations by Trend Micro services on unexpected file paths
Detection Strategies
- Monitor file system activity from Trend Micro Apex One processes, particularly the Damage Cleanup Engine, for unusual deletion patterns
- Implement file integrity monitoring (FIM) on critical system directories and configuration files
- Analyze Windows Security event logs for anomalous file access and deletion events correlated with Apex One service activity
- Deploy endpoint detection rules to identify symbolic link or junction point manipulation targeting Apex One directories
Monitoring Recommendations
- Enable detailed auditing of file system operations in Windows Security Event Logs
- Configure SentinelOne Singularity to monitor and alert on suspicious file deletion activity from endpoint security product processes
- Establish baseline behavior for Trend Micro Apex One file operations and alert on deviations
- Monitor for privilege escalation attempts following file deletion events
How to Mitigate CVE-2022-45797
Immediate Actions Required
- Apply the latest security patches from Trend Micro immediately for all Apex One installations
- Review the official Trend Micro Security Advisory for specific patch versions and instructions
- Conduct an audit of systems running Trend Micro Apex One to identify potentially compromised installations
- Limit local access to systems running Apex One to authorized personnel only
Patch Information
Trend Micro has released security updates to address this vulnerability. Administrators should consult the Trend Micro Solution Overview for detailed patch information, affected version specifics, and upgrade instructions. It is critical to apply these patches to both on-premises Apex One 2019 installations and verify that Apex One as a Service (SaaS) deployments have been automatically updated.
Workarounds
- Restrict local user access to systems running Trend Micro Apex One until patches can be applied
- Implement strict access controls and principle of least privilege for all users on affected systems
- Monitor the Damage Cleanup Engine component for suspicious activity as an interim measure
- Consider temporarily disabling non-essential cleanup operations if operationally feasible until patching is complete
Administrators should prioritize patching as the primary remediation strategy. For detailed mitigation steps, refer to the official vendor advisory at the Trend Micro Support Portal.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
